Permissions, Privileges, and Access Controls in Firefox for Android - CVE-2020-26964

 


Published: November 17, 2020


Vulnerability identifier: #VU48477
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-26964
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Mozilla
Affected software:
Firefox for Android

Detailed vulnerability description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to the way the Remote Debugging via USB feature behaves on older versions of Android OS. If the Remote Debugging via USB feature was enabled in Firefox for Android on an Android version prior to Android 6.0, untrusted apps could have connected to the feature and operated with the privileges of the browser to read and interact with web content. The feature was implemented as a Unix domain socket protected by the Android SELinux policy; however, SELinux was not enforced on versions prior to 6.0, so on those versions the policy did not restrict connections to the socket.
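The weakness described above is a local socket whose only access control is an external policy. As an added example (not code from this advisory or from Mozilla), the Python sketch below shows a Unix domain socket server on Linux checking the kernel-reported peer UID with SO_PEERCRED before serving a client, so the check still holds when the mandatory access control policy is not enforced. The handler, the allowed-UID set and the socketpair standing in for the debug socket are assumptions made for illustration.

```python
import os
import socket
import struct

# Linux struct ucred layout: pid_t pid, uid_t uid, gid_t gid
_UCRED = struct.Struct("iII")

def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of a Unix socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)

def is_authorized(conn, allowed_uids):
    """Accept only peers whose kernel-reported UID is explicitly allowed."""
    if conn.family != socket.AF_UNIX:
        return False
    try:
        _pid, uid, _gid = peer_credentials(conn)
    except OSError:
        return False  # fail closed if the credentials cannot be read
    return uid in allowed_uids

def handle(conn, allowed_uids):
    """Hypothetical debug-server handler: check the peer before reading any data."""
    try:
        if not is_authorized(conn, allowed_uids):
            return "rejected"
        conn.sendall(b"ok\n")
        return "accepted"
    finally:
        conn.close()

def demo():
    """Constructed scenario: a socketpair stands in for the debug socket and a client."""
    results = {}
    cases = (("same_uid", {os.getuid()}), ("other_uid", {os.getuid() + 1}))
    for label, allowed in cases:
        server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        results[label] = handle(server, allowed)
        client.close()
    return results

if __name__ == "__main__":
    print(demo())
```

Because Android runs each app under its own UID, a check of this kind separates the socket's owner from other installed apps regardless of whether SELinux is enforcing.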


How to mitigate CVE-2020-26964

Install updates from the vendor's website.

Sources